I have an app using s2s connection with google calendar api. I need to create an event in different users calendars. To make it possible the user should go to the calendar's settings and share their calendar to the service account.
But I would like to simplify this for the user - so that they don't need to go to their calendar settings. I don't have an interface for the user interaction - it's a bot.
How can I access the user's calendar in another way?
Maybe you can change the role set by the user to the calendar. According to this documentation, the owners of a calendar can share the calendar by giving access to other users. The sharing settings of a given calendar are represented by the ACL collection (access control list) of that calendar. Each resource in the ACL collection grants a specified grantee a certain access role. So the user can make you the writer or owner of their calendar, so that you can access it.
Another way is by using Delegating domain-wide authority to the service account,
If you have a Google Apps domain—if you use Google Apps for Work, for
example—an administrator of the Google Apps domain can authorize an
application to access user data on behalf of users in the Google Apps
domain. For example, an application that uses the Google Calendar API
to add events to the calendars of all users in a Google Apps domain
would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on
behalf of users in a domain is sometimes referred to as "delegating
domain-wide authority" to a service account
Related
I am able to create an event in Google Calendar using Service account and Google Calendar API, where Project and Service Account is created in Google Workspace admin account and in the same account, I have enabled domain-wide delegation property. I haven't created separate calendar and haven't given access to Service account. If I use my workspace-google account in createDelegated(), with this event is getting created in 'abc#myworkspace.com' calendar and 'created by' property is also the same for every attendee I have added.
GoogleCredentials googleCredentials = GoogleCredentials
.fromStream(new FileInputStream(CREDENTIALS_FILE_PATH)).createScoped(SCOPES)
.createDelegated("abc#myworkspace.com");
So my question is what if I need to create event for non-workspace google account(lets say def#gmail.com)
Can I pass 'def#gmail.com' into the createDelegated()? If I do, I am getting,
Error getting access token for service account: 400 Bad Request
So how to create event for non-workspace google account?
Note : App type is still 'Internal' in OAuth consent screen.
Could someone explain what am I missing here?
A service account with domain-wide delegation can only be used for domains
A Google Workspace account is a domain, a personal consumer account is not a domain.
Consequently, you can not perform a request on behalf of a consumer account user via a service account.
Instead, you would need to create the event directly as def#gmail.com similar to the documentation sample.
No you can only delgate to an account on your domain
createDelegated("abc#myworkspace.com");
You can not delgate to a standard google account as there would be no way for you to configure the permissions
perform-google-workspace-domain-wide-delegation-of-authority
Perform Google Workspace Domain-Wide Delegation of Authority
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the Google Workspace Terms of Service.
Owner vs attendee.
A service account properly delegated. Will have permission to create an event on behalf of a user in the domain that they have been delegated permission.
Example: I have delegated permission to my service account to user User1#myDomain.com. For all intensive purposed the service account now has all permissions of User1. So the service account can create a new event on behalf of user1 and invite anyone to the event they choose.
As there is no way to set up deligation to user2#gmail.com there is no way for the service account to act like this user as it is a standard gmail user.
The only way for an application to create an event on behalf of user2#gmail.com would be to use Oauth2 and request consent of User2#gmail.com to access their private data. Then the application would be able to create a new event on behalf of User2#gmail.com.
Remember this is creating an event. There is nothing stopping the service account delegated as user1#mydomain.com from inviting user2#gmail.com to the event. user2#gmail.com will then be notified that they have been invited to the event they can then decide if they want to attend or not if they accept it then it will appear in their google calendar account. Notice how user2#gmail.com had to manually accept this. User1#mydomain.com did not have to manually accept that the event was created in their google calendar as the service account was acting on their behalf.
I want to access the entire events existing in a calendar of a gsuite domain. I tried using domain deligation with service account and it allows me to assume a user and get all of its events but i want to fetch the entire events in a gsuite account.
In order to achieve your task, you should create a service account which impersonates the admin of the domain.
Afterwards, you can retrieve the users of the domain by making use of the Admin SDK.
GET https://admin.googleapis.com/admin/directory/v1/users
Based on the list you get, you can get the events from the calendar of each user.
GET https://www.googleapis.com/calendar/v3/calendars/calendarId/events
Where, calendarId is the email of one of the users from the domain.
Reference
Admin SDK users.list;
Calendar API events.list.
I'm working on one school app. I'm able to create events using google calender API with NodeJS. I created the clientID and secretID on the school google account. Every time event is created, only the admin has access to start the meeting. But I want teachers(who are creating the event) to be the organizer. How can I achieve this?
The organizer field of an event is a read-only field. You can use the move action to move the event and change the organizer but this can only be done if the authenticated user has write access to the destination calendar.
A solution would be to use a service account and perform domain wide delegation. In this way you will be able to impersonate the user in question and organize the event wanted.
According to the Service accounts documentation:
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
As for performing domain-wide delegation, you might want to take a look into this:
In enterprise applications you may want to programmatically access users data without any manual authorization on their part. In G Suite domains, the domain administrator can grant to third party applications domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
Reference
Calendar API - Events:move;
Service Accounts;
Calendar API - Perform G Suite Domain-Wide Delegation of Authority;
Using OAuth 2.0 for Server to Server Applications.
I am new to Google Calendar API, I had created the Service Account for OAuth process and then I get the access token using JWT. Then I try to fetch the calendar list but the response didn't fetch the calendar list. I am using business account with domain. I want to view my organization user calendar list.
Response:
{
"kind": "calendar#calendarList",
"etag": "\"p3208dll2qn2d60g\"",
"nextSyncToken": "CICG1qLVxNMCEjBtZWV0aW5nQHBvbGV0dXMtY2FsZW5kYXIuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20=",
"items": []
}
The Organization user having the SuperAdmin access.
And I tested with my normal gmail account using service accounts it works for all api requests.
Remember a service account is not you. A service account is a dummy user it has its own Google calendar account. Assuming that you did share the calendar in question with the Service account it may not have been added to the calendar list.
All calendar list is the list on the bottom left hand side of the GUI. Sometimes when you share a calendar with a service account it doesn't get added properly to the calendar list. You can add it yourself via the service account by running calendarlist.insert
Assuming that you have not granted the server account permissions to read the calendar you will need to do so by sharing it like you would any other user using the service account email address.
I need to read/insert events into a specific calendar, using Google API. All registered users (in my app) can read and insert events into the calendar. I don't have to authenticate each user with OAuth 2.0, because the app will not read the user data - only specific account data.
I'm a professor and all my students can read and insert in my calendar. So, they do not need to login (Google Account) to do it, because it's a single account's data.
Is there a way to set a unique key for the main account?
OAuth2 doesn't makes me sense.
Maybe you need a service account here. It is an account that belongs to your application instead of to an individual end-user. Your application calls Google APIs on behalf of the service account, and user consent is not required. (In non-service-account scenarios, your application calls Google APIs on behalf of end-users, and user consent is sometimes required.)
The Calendar API can use the Delegating domain-wide authority to the service account. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Apps domain would use a service account to access the Google Calendar API on behalf of users.
For more information, check these threads:
Delegating domain-wide authority to the service account
How to list Google Calendar Events without User Authentication
Embed Google Calendar only users logged into my website (not necessarily through Google) can see